[patch 25/33] Fix possible NULL pointer access in 8250 serial driver

To: <linux-kernel@...>, <stable@...>, <torvalds@...>
Cc: Justin Forbes <jmforbes@...>, Zwane Mwaikambo <zwane@...>, Theodore Ts'o <tytso@...>, Randy Dunlap <rdunlap@...>, Dave Jones <davej@...>, Chuck Wolber <chuckw@...>, Chris Wedgwood <reviews@...>, Michael Krufky <mkrufky@...>, Chuck Ebbert <cebbert@...>, <akpm@...>, <alan@...>, <izumi2005@...>, <rmk@...>, <kaneshige.kenji@...>
Date: Thursday, April 26, 2007 - 12:56 pm

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Taku Izumi <izumi2005@soft.fujitsu.com>

I encountered the following kernel panic.  The cause of this problem was a
NULL pointer access in check_modem_status() in 8250.c.  I confirmed that this
problem is fixed by the attached patch, but I don't know whether this is the
correct fix.

sadc[4378]: NaT consumption 2216203124768 [1]
Modules linked in: binfmt_misc dm_mirror dm_mod thermal processor fan
container button sg e100 eepro100 mii ehci_hcd ohci_hcd

Pid: 4378, CPU 0, comm: sadc
psr : 00001210085a2010 ifs : 8000000000000289 ip : [<a000000100482071>]
Not tainted
ip is at check_modem_status+0xf1/0x360
unat: 0000000000000000 pfs : 0000000000000289 rsc : 0000000000000003
rnat: 800000000000cc18 bsps: 0000000000000000 pr : 0000000000aa6a99
ldrs: 0000000000000000 ccv : 0000000000000000 fpsr: 0009804c8a70033f
csd : 0000000000000000 ssd : 0000000000000000
b0 : a000000100481fb0 b6 : a0000001004822e0 b7 : a000000100477f20
f6 : 1003e2222222222222222 f7 : 0ffdba200000000000000
f8 : 100018000000000000000 f9 : 10002a000000000000000
f10 : 0fffdccccccccc8c00000 f11 : 1003e0000000000000000
r1 : a000000100b9af40 r2 : 0000000000000008 r3 : a000000100ad4e21
r8 : 00000000000000bb r9 : 0000000000000001 r10 : 0000000000000000
r11 : a000000100ad4d58 r12 : e0000000037b7df0 r13 : e0000000037b0000
r14 : 0000000000000001 r15 : 0000000000000018 r16 : a000000100ad4d6c
r17 : 0000000000000000 r18 : 0000000000000000 r19 : 0000000000000000
r20 : a00000010099bc88 r21 : 00000000000000bb r22 : 00000000000000bb
r23 : c003fffffc0ff3fe r24 : c003fffffc000000 r25 : 00000000000ff3fe
r26 : a0000001009b7ad0 r27 : 0000000000000001 r28 : a0000001009b7ad8
r29 : 0000000000000000 r30 : a0000001009b7ad0 r31 : a0000001009b7ad0

Call Trace:
[<a000000100013940>] show_stack+0x40/0xa0
sp=e0000000037b7810 bsp=e0000000037b1118
[<a0000001000145a0>] show_regs+0x840/0x880
sp=e0000000037b79e0 bsp=e0000000037b10c0
[<a0000001000368e0>] die+0x1c0/0x2c0
sp=e0000000037b79e0 bsp=e0000000037b1078
[<a000000100036a30>] die_if_kernel+0x50/0x80
sp=e0000000037b7a00 bsp=e0000000037b1048
[<a000000100037c40>] ia64_fault+0x11e0/0x1300
sp=e0000000037b7a00 bsp=e0000000037b0fe8
[<a00000010000bdc0>] ia64_leave_kernel+0x0/0x280
sp=e0000000037b7c20 bsp=e0000000037b0fe8
[<a000000100482070>] check_modem_status+0xf0/0x360
sp=e0000000037b7df0 bsp=e0000000037b0fa0
[<a000000100482300>] serial8250_get_mctrl+0x20/0xa0
sp=e0000000037b7df0 bsp=e0000000037b0f80
[<a000000100478170>] uart_read_proc+0x250/0x860
sp=e0000000037b7df0 bsp=e0000000037b0ee0
[<a0000001001c16d0>] proc_file_read+0x1d0/0x4c0
sp=e0000000037b7e10 bsp=e0000000037b0e80
[<a0000001001394b0>] vfs_read+0x1b0/0x300
sp=e0000000037b7e20 bsp=e0000000037b0e30
[<a000000100139cd0>] sys_read+0x70/0xe0
sp=e0000000037b7e20 bsp=e0000000037b0db0
[<a00000010000bc20>] ia64_ret_from_syscall+0x0/0x20
sp=e0000000037b7e30 bsp=e0000000037b0db0
[<a000000000010620>] __kernel_syscall_via_break+0x0/0x20
sp=e0000000037b8000 bsp=e0000000037b0db0


Fix the possible NULL pointer access in check_modem_status() in 8250.c.
check_modem_status() would access the 'info' member of the uart_port structure,
but it is not initialized before uart_open() is called.  check_modem_status()
can be called through /proc/tty/driver/serial before uart_open() is called.

Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Taku Izumi <izumi2005@soft.fujitsu.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/serial/8250.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/serial/8250.c
+++ b/drivers/serial/8250.c
@@ -1289,7 +1289,8 @@ static unsigned int check_modem_status(s
 {
 	unsigned int status = serial_in(up, UART_MSR);
 
-	if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI) {
+	if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI &&
+	    up->port.info != NULL) {
 		if (status & UART_MSR_TERI)
 			up->port.icount.rng++;
 		if (status & UART_MSR_DDSR)
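Review bot: the new `up->port.info != NULL` test guards the entire delta-processing block, but the first statements in that block (`up->port.icount.rng++` and the other `icount` updates) live in `up->port`, not in `info`, so they are skipped unnecessarily when the port has not been opened yet; consider keeping the counter updates under the original condition and narrowing the NULL check to just the statements that dereference `up->port.info`. A short comment above the condition saying why `info` can be NULL here (the read path via /proc/tty/driver/serial before uart_open(), as the commit message explains) would also help the next reader, since the check otherwise looks redundant with the existing `UART_IER_MSI` test.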
